Overview

overview

10

Static

static

3

4e316e27c5...45.dll

windows7-x64

10

4e316e27c5...45.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e316e27c53cdbe1c45f5dc77bdd077ec55a9c0b399dc0680f8d73e5f579b745.dll

  • Size

    668KB

  • MD5

    1b93b4a0fc966e6a9bc34b5930c0177d

  • SHA1

    b646f6d379fcbec61abc34461c7a5b886d317e1f

  • SHA256

    4e316e27c53cdbe1c45f5dc77bdd077ec55a9c0b399dc0680f8d73e5f579b745

  • SHA512

    92a77bb261507efeb6c37254d0f94ce902e10587c0b13c336640ffc445ea2e31c9f80dbe32cfcd7ff6eb04fc844c0bc05c9725f7dc6cd70d1e3b7e53b62f9f2f

  • SSDEEP

    6144:W34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:WIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e316e27c53cdbe1c45f5dc77bdd077ec55a9c0b399dc0680f8d73e5f579b745.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1528
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:1372
    • C:\Users\Admin\AppData\Local\ezKn\cmstp.exe
      C:\Users\Admin\AppData\Local\ezKn\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4660
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:2812
      • C:\Users\Admin\AppData\Local\LmLM9v\slui.exe
        C:\Users\Admin\AppData\Local\LmLM9v\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3860
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        1⤵
          PID:4792
        • C:\Users\Admin\AppData\Local\nRr\WFS.exe
          C:\Users\Admin\AppData\Local\nRr\WFS.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1536

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\LmLM9v\SLC.dll
          Filesize

          672KB

          MD5

          ff246e4c9a0b940d65324f1327aae163

          SHA1

          bd6cbb344ab5d51392a7bb7f4098a2397002c25a

          SHA256

          a4196d23535472006dd24034e0b53efcc4355936e625fcd62203807807136bb8

          SHA512

          c0000182c29352551a3398885c6f0bcf23ddd6ca0c7753db6c13518c281d9a9dac4aae1573d3be8351f3d6c8397eb3eaf2d563b30a088565f7dcefdd4967962e

          Download Submit

        • C:\Users\Admin\AppData\Local\LmLM9v\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Local\ezKn\VERSION.dll
          Filesize

          672KB

          MD5

          c552cfbf73ee3c0d8dd09c34a4ef4e25

          SHA1

          11f5aaab68236c049325db59bf3c0a9baeb67471

          SHA256

          338871550886ac574bae9f6b1c58a74dafeb63454c480f607928dbd5f17d2a88

          SHA512

          26263e8111e6651f5d661abc1bda43b6b9975319a632c604b1f923a7f8fd188b3956674b0d78dc893c7e0239e5a180c8c8b7df50ea1f1e3d82ccd69fc0d57531

          Download Submit

        • C:\Users\Admin\AppData\Local\ezKn\cmstp.exe
          Filesize

          96KB

          MD5

          4cc43fe4d397ff79fa69f397e016df52

          SHA1

          8fd6cf81ad40c9b123cd75611860a8b95c72869c

          SHA256

          f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

          SHA512

          851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          Download Submit

        • C:\Users\Admin\AppData\Local\nRr\WFS.exe
          Filesize

          944KB

          MD5

          3cbc8d0f65e3db6c76c119ed7c2ffd85

          SHA1

          e74f794d86196e3bbb852522479946cceeed7e01

          SHA256

          e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

          SHA512

          26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

          Download Submit

        • C:\Users\Admin\AppData\Local\nRr\credui.dll
          Filesize

          672KB

          MD5

          b7f873027194fd3d7ecc43c19f504db4

          SHA1

          577f4108fef35035c7edee72d7bcd19e77cfcde2

          SHA256

          97ab833b86fa696b8a77caeae4e955f65f783584425f38a89ec210faeb44f281

          SHA512

          3708ff6deb7519a3d35710d639db70154762c579e9caf61a89c71f29e3e63febbfa5055875b8ac9f73a44b4b9f00416552d23c44fb4518c59b21847769168ebb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
          Filesize

          1KB

          MD5

          f5bbf690c8d262263843ac1d7958affc

          SHA1

          46389b4771a3828521402bbbd2837a8b790db134

          SHA256

          0837b9012831d1e0791bbe668a072940cd7ed895b0dac647bfef607a2530fc20

          SHA512

          19628aae055b25b55c63e6c81cc0746b21d2152f151a92b1c5ab86e5e7cd8d06385b0db679d21bff0ca3015918f81358a804c26d626775005ae2de5d5236f8d4

          Download Submit

        • memory/1528-0-0x0000023A26B70000-0x0000023A26B77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1528-2-0x00007FFCAE490000-0x00007FFCAE537000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1528-38-0x00007FFCAE490000-0x00007FFCAE537000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1536-81-0x00007FFC9DEB0000-0x00007FFC9DF58000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3632-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-25-0x00007FFCBCB60000-0x00007FFCBCB70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3632-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-26-0x00007FFCBCB50000-0x00007FFCBCB60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3632-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-5-0x00007FFCBBE1A000-0x00007FFCBBE1B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3632-3-0x00000000027C0000-0x00000000027C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3632-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3632-23-0x00000000006E0000-0x00000000006E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3632-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3860-66-0x00007FFC9DEB0000-0x00007FFC9DF58000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3860-63-0x0000027FFD530000-0x0000027FFD537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4660-50-0x00007FFC9DEB0000-0x00007FFC9DF58000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4660-47-0x000002547B2F0000-0x000002547B2F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4660-45-0x00007FFC9DEB0000-0x00007FFC9DF58000-memory.dmp

          Filesize

          672KB

          Download